NY: Sloane Stecker Physical Therapy notifies 2,000 patients of breach
Sloane Stecker Physical Therapy recently notified 2,000 patients of a breach:
June 18, 2014
Re: HIPAA Breach Media Notification
Sloane Stecker Physical Therapy, PC recently learned that certain protected health information, including names, addresses, telephone numbers, and potentially other private information, was taken without its authorization from its secure computer network. It is publishing this notice as part of its ongoing commitment to patient privacy and in compliance with HIPAA requirements.
Although Sloane Stecker Physical Therapy informed patients that it “has good reason to believe that the protected health information was not taken for the purposes of identity theft or other similar related purpose,” it advised patients to place fraud alerts on their credit reports and monitor their credit reports. It also offered them a year of credit monitoring at the entity’s expense.
Although the letter does not come out and directly inform patients what happened , it appears that an employee or someone with authorized access to the database took patient information:
Sloane Stecker Physical Therapy wishes to ensure its patients that it maintains all patient information and records in a secure password protected database in compliance with all required laws and regulations. Only those persons who are authorized by our practice to access this database have been provided with the password.
With respect to the protected health information that was taken, Sloane Stecker Physical Therapy has sent breach notification letters to all of its patients. It additionally retained legal counsel, which secured the return of the protected health information that is believed to have been taken.
According to its notification to HHS, 2,000 patients were notified of the incident which Sloane Stecker coded as theft of information from EMR. The incident reportedly occurred on February 21. It is not clear from their HIPAA notice on their web site when the breach was actually discovered or why it took until June to notify patients. Nor does the letter indicate whether any health/medical information was improperly acquired.
Although the media notice was written on an appropriate level for comprehension, it would have been better if it had included the date of the incident, a clearer description of what happened (so that patients can assess their risk) and a fuller description of what kinds of information were acquired.